**Corresponding ticket**: [[!tails_ticket 5766]].

Tails should ship a (non-default) web browser profile that would not
trust the CA cartel, but instead use some alternative, more agile and
stronger trust system.

[[!toc levels=2]]

Candidates
==========

* Monkeysphere: [[!tails_ticket 5763]]
* Convergence: [[!tails_ticket 6102]]
* TACK
* EFF's sovereign keys
* Google's proposal

Criteria
========

* beware of the browser fingerprint

Implementation
==============

Iceweasel profile
-----------------

We should now provide a second iceweasel profile with all root CAs
disabled.

One way to do it would be to `dpkg-divert libnssckbi.so` by default,
extract all the CAs from the original `libnssckbi.so` and stuff them
into the "normal X.509 usage" profile's DB.

See also the `mozilla/security/nss/lib/ckfw/builtins/README` file in
the `nss` package source tree ([read
online](https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/README))
to learn how to build a `libnssckbi.so` with a custom list of
builtin CAs.

According to [a blog
post](http://blog.rupamsunyata.org/2008/06/30/consolation-prize.xhtml),
`certutil` may be an adequate tool for the task:

    apt-get install libnss3-tools
    # $HLAGHLLAGHGAAHLGALHHGHLAGH stands for the random prefix of the profile directory name
    certutil -d $HOME/.mozilla/firefox/$HLAGHLLAGHGAAHLGALHHGHLAGH.default -A -n 'CA Cert Signing Authority - Root CA' -t CT,C,C -i /etc/ssl/certs/root.pem

What does not work is to disable this module for the no-CAs profile
using:

    modutil -dbdir PROFILE_DIR -disable "NSS Internal PKCS #11 Module"
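
A check for the no-CAs profile, as an added example that is not part of the original blueprint: it reads a `certutil -L` listing on stdin and reports every entry whose SSL trust field carries the `C` flag (as in the `CT,C,C` above). The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find entries that an NSS database trusts as a CA for TLS
# server certificates. Intended use: certutil -L -d PROFILE_DIR | trusted_ssl_cas

# trusted_ssl_cas: print one nickname per line for every entry whose SSL
# trust field (the first of "SSL,S/MIME,JAR/XPI") contains the "C" flag.
trusted_ssl_cas() {
    awk '
        { sub(/[ \t]+$/, "") }                 # ignore trailing whitespace
        # Trust attributes are the last field, e.g. "CT,C,C" or "P,,".
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, trust, ",")
            if (index(trust[1], "C") > 0) {    # "c" (valid, untrusted CA) is skipped
                nick = $0
                sub(/[ \t]+[^ \t]+$/, "", nick)  # drop the trust column
                sub(/^[ \t]+/, "", nick)
                print nick
            }
        }
    '
}

# profile_is_ca_free: succeed only when the listing on stdin contains no
# entry trusted as a TLS server CA.
profile_is_ca_free() {
    [ -z "$(trusted_ssl_cas)" ]
}

# Constructed sample in the layout printed by `certutil -L`.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Cert Signing Authority - Root CA                          CT,C,C
example.org server exception                                 P,,
Some Intermediate CA                                         c,,
EOF
}

sample_listing | trusted_ssl_cas
```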

The Freepto folks are working on wrappers around `certutil`:

* <http://lists.autistici.org/message/20141013.235706.2496a2bc.en.html>
* <https://github.com/boyska/freepto-lb/blob/r-berenjena/config/hooks/certificates.chroot>
* <https://github.com/boyska/freepto-lb/blob/r-berenjena/config/includes.chroot/usr/local/bin/add-cert-to-firefox>

It's also possible to use the [cert_override.txt
mechanism](https://developer.mozilla.org/en-US/docs/Cert_override.txt)
to add certificate exceptions.

Adding a CA can [be done with an
add-on](https://github.com/moba/cacert-firefox-addon).
Presumably removing or distrusting one can too.
